split the low-level file handling functions out from auth2-pubkey.c

Put them in a new auth2-pubkeyfile.c to make it easier to refer to them
(e.g. in unit/fuzz tests) without having to refer to everything else
pubkey auth brings in.

ok dtucker@

1 files changed, 1 insertions, 93 deletions

diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c
index 9fff5c1156e..93b56340d6a 100644
--- a/usr.bin/ssh/auth.c
+++ b/usr.bin/ssh/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.156 2022/05/27 05:01:25 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.157 2022/05/27 05:02:46 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -833,95 +833,3 @@ auth_restrict_session(struct ssh *ssh)
 		fatal_f("failed to restrict session");
 	sshauthopt_free(restricted);
 }
-
-int
-auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts,
-    int allow_cert_authority, const char *remote_ip, const char *remote_host,
-    const char *loc)
-{
-	time_t now = time(NULL);
-	char buf[64];
-
-	/*
-	 * Check keys/principals file expiry time.
-	 * NB. validity interval in certificate is handled elsewhere.
-	 */
-	if (opts->valid_before && now > 0 &&
-	    opts->valid_before < (uint64_t)now) {
-		format_absolute_time(opts->valid_before, buf, sizeof(buf));
-		debug("%s: entry expired at %s", loc, buf);
-		auth_debug_add("%s: entry expired at %s", loc, buf);
-		return -1;
-	}
-	/* Consistency checks */
-	if (opts->cert_principals != NULL && !opts->cert_authority) {
-		debug("%s: principals on non-CA key", loc);
-		auth_debug_add("%s: principals on non-CA key", loc);
-		/* deny access */
-		return -1;
-	}
-	/* cert-authority flag isn't valid in authorized_principals files */
-	if (!allow_cert_authority && opts->cert_authority) {
-		debug("%s: cert-authority flag invalid here", loc);
-		auth_debug_add("%s: cert-authority flag invalid here", loc);
-		/* deny access */
-		return -1;
-	}
-
-	/* Perform from= checks */
-	if (opts->required_from_host_keys != NULL) {
-		switch (match_host_and_ip(remote_host, remote_ip,
-		    opts->required_from_host_keys )) {
-		case 1:
-			/* Host name matches. */
-			break;
-		case -1:
-		default:
-			debug("%s: invalid from criteria", loc);
-			auth_debug_add("%s: invalid from criteria", loc);
-			/* FALLTHROUGH */
-		case 0:
-			logit("%s: Authentication tried for %.100s with "
-			    "correct key but not from a permitted "
-			    "host (host=%.200s, ip=%.200s, required=%.200s).",
-			    loc, pw->pw_name, remote_host, remote_ip,
-			    opts->required_from_host_keys);
-			auth_debug_add("%s: Your host '%.200s' is not "
-			    "permitted to use this key for login.",
-			    loc, remote_host);
-			/* deny access */
-			return -1;
-		}
-	}
-	/* Check source-address restriction from certificate */
-	if (opts->required_from_host_cert != NULL) {
-		switch (addr_match_cidr_list(remote_ip,
-		    opts->required_from_host_cert)) {
-		case 1:
-			/* accepted */
-			break;
-		case -1:
-		default:
-			/* invalid */
-			error("%s: Certificate source-address invalid", loc);
-			/* FALLTHROUGH */
-		case 0:
-			logit("%s: Authentication tried for %.100s with valid "
-			    "certificate but not from a permitted source "
-			    "address (%.200s).", loc, pw->pw_name, remote_ip);
-			auth_debug_add("%s: Your address '%.200s' is not "
-			    "permitted to use this certificate for login.",
-			    loc, remote_ip);
-			return -1;
-		}
-	}
-	/*
-	 *
-	 * XXX this is spammy. We should report remotely only for keys
-	 *     that are successful in actual auth attempts, and not PK_OK
-	 *     tests.
-	 */
-	auth_log_authopts(loc, opts, 1);
-
-	return 0;
-}